C2 General 


Vodafone response to ICO consultation on Code of practice on age- 
appropriate design standards of online services likely to be 
accessed by children. 


Summary 


Vodafone agrees with the importance of protecting children in relation to their data 
and privacy when accessing Information Society Services (‘ISS’) online. We agree with 
the principles underlying the code, but consider that the proposed scope of the code 
is too wide, and includes services, which are not ISS. We therefore seek further 
clarification about the scope of the Code. 


The proposed requirements are onerous and specific, and combined with the wide 
scope, will be costly and time-consuming to implement, for many providers of online 
services and goods. We question the proportionality and practicality of some of the 
requirements, and, whilst supportive of the objective of the code, we would like the 
ICO to consider a more pragmatic way to fulfil its duties under the Data Protection Act 
2018. 


Furthermore, we note that in the current climate there is more policy work focused 
on online harm, and suggest government and ICO work closely together to ensure 
these policy initiatives do not duplicate or contradict each other. We also propose ICO 
engages closely with the expert organisations in this field, including Internet Matters. 


Please note that this is an initial response. We may comment in more detail and on 
further areas when we have had the opportunity to discuss them with the ICO. 


Scope of the Code 


The draft code was published in accordance with the ICO’s obligation under section 
123 of the Data Protection Act 2018: 


“The Commissioner must prepare a code of practice which contains 
such guidance as the Commissioner considers appropriate on 
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standards of age appropriate design of relevant information society 
services which are likely to be accessed by children.” 

The consultation sets out that the code is for providers of ISS. It applies to companies 
if they provide online products or services that process personal data and are likely to 
be accessed by children in the UK. 


To assess which types of companies will be subject to the code, it is helpful to look at 
the definition of an ISS": 


“any service normally provided for remuneration, at a distance, by electronic means 
and at the individual request of a recipient of services. 


For the purposes of this definition: 


(i) ‘at a distance’ means that the service is provided without the parties being 
simultaneously present; 


(ii) ‘by electronic means’ means that the service is sent initially and received at its 
destination by means of electronic equipment for the processing (including digital 
compression) and storage of data, and entirely transmitted, conveyed and received 
by wire, by radio, by optical means or by other electromagnetic means; 


(iii) ‘at the individual request of a recipient of services’ means that the service is 
provided through the transmission of data on individual request.” 


Vodafone, like most other telecom providers, sells its services through different 
channels. Customers can go to one of our shops, they can speak to an advisor in a 
call centre or on web chat, or go online to get information and advice about our 
products and services, and take out a contract with or without a device. If customers 
decide to take out a service or device online, the transaction will be carried out a 
distance, at the individual request of the customers, and it will be requested via 
electronic means. However, the service is not received by the customer via electronic 
means. In order to start using the services, a customer will need to receive a SIM card, 
and potentially a device, if they buy a service including equipment. The SIM card 
and/or device are typically delivered to the customer via mail, or a customer can 
collect them in store. 


The consultation document provides additional examples of services it proposes to 


be captured by the code: apps, programs, websites, games or community 
environments, and connected toys or devices with or without a screen. 


Thttps://eur-lex.europa.eu/Legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN 
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Toys or devices are ameans to access ISS and are not in themselves ISS. We consider 
this is an important distinction. Where children can go online, and buy and receive ISS 
through an online channel, we agree that companies offering these services should 
be captured by the code, if children are likely to access them. Where companies only 
provide the means (whether that is through a mobile phone, a laptop, a watch, a SIM 
card, or smart TV, sent in the post) through which customers can access ISS, we 
consider they fall outside the scope of an ISS and should not be captured in the scope 
of the code. The scope of the code would hugely expand if companies providing the 
means to access ISS are included; the likes of John Lewis, Argos, Dixons Carphone, 
Curry’s, and Ebay, including many smaller online retailers would all fall within the 
scope of the code. This seems to be disproportionate, and very costly for companies 
that do not provide ISS. 


It would be helpful if ICO could clarify the scope of the code, and make clear that 
companies providing the means to access ISS via on online platform are excluded 
from the scope. 


Notwithstanding our view that the definition of ISS excludes us from the scope of the 
code, we have set out further comments on the scope and standards below. 


Further comments on the scope and the standards 


Scope 

We would like to get clarification on the point regarding services ‘likely’ to be 
accessed by children. The word ‘Likely’ provides little certainty in terms of the 
circumstances in which companies need to meet the requirements. The code then 
goes into more detail, and talks about ‘only a small proportion of the user base being 
children’, which does not provide any further clarity (and is potentially at odds with 
the word likely). In order to give certainty to industry, we request the ICO provides a 
clear definition of ‘likely’ in this situation. 


Generally, to be able to deliver service in an age-appropriate manner, companies 
either have to apply the standards to all users or else have robust age-verification 
mechanisms to distinguish between adult and child users. In practice, this means 
providing a service, which is appropriate for all users, but which includes the option to 
provide age-verification options for adults to opt out of the code’s protections. It 
would be helpful if ICO could clarify that is indeed what it intends, and how such adult 
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age verification would work in practice, given the significant investment potentially 
required. 


Standards 


We agree that relevant ISS, which are likely to be accessed by children, should be 
designed in such a way that they serve the best interests of the child. One of the 
issues with the current proposals is the scope and the detailed requirements, which 
make it onerous and expensive to comply. We therefore expect many companies 
would have to implement it in ‘one size fits all’ way, adapted to the youngest age 
groups. This means that huge parts of the services available and potentially 
appropriate for the older age groups will not be available to these groups. They may 
miss out on services, which are age appropriate, which would be counter-productive 
to their best interests. We urge ICO to seek the right balance between protection 
children, and ensuring they can access those services that help their development 
and engagement with the wider world. 


As set out above, taking into account the requirements, companies are likely to 
implement the code in a way that meets the requirements for the youngest children. 
Age-appropriate application would therefore result in companies collecting more 
personal data than they currently do. This seems at odds with the requirement of 
data minimisation. In addition, any age verification system used must be ‘robust and 
privacy friendly’ but the ICO has not provided any guidance on how this could be 
achieved. It would be helpful if ICO could set out examples of how this could be 
achieved in practice. 


Regarding the requirement to be transparent and provide privacy information in a 
clear and prominent place, we would like to know if different versions of this 
information are required for each of the age brackets. Will the ICO develop further 
guidance for each of the age groups? 


The code requires geo-location to be off by default. There are services, including 
services for children, whose main purpose it is to provide the location of children to 
their parents. It would be good if the ICO could confirm that for these services, geo- 
location will be activated. More generally, there is a risk that switching off a number of 
functionalities by default may decrease the development of innovative services, 
which could be in children and parents’ best interests. 
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In our comments on the scope of the code, we already discussed connected toys and 
devices and our view that these are not ISS, and therefore not covered by the code. 
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